A new ransomware called RegretLocker uses a variety of advanced features that allow it to encrypt virtual hard drives diskς και να κλείνει τα ανοιχτά archives to encrypt them.
RegretLocker was discovered in October 2020 and is a simple ransomware in terms of appearance, as it does not contain a bullying message for ransom, and instead of a Tor site it uses an email for communication.
When encrypting files, RegretLocker adds the .mouse extension with harmless sounds to encrypted filenames.
But what makes it particularly dangerous is the advanced features it has that we usually do not see in ransomware infections. See how it works:
When you create a Windows Hyper-V virtual machine, a virtual hard disk is created and saved to a VHD or VHDX file.
These virtual hard disk files contain a raw disk image, including the partition table, and like regular disk drives, can range in size from a few gigabytes to terabyte.
When an ransomware encrypts files on a computer, it is ineffective when encrypting a large file as it slows down the encryption process.
In a sample of the RegretLocker ransomware discovered by MalwareHunterTeam and analyzed by Advanced Intel Vitali Kremez, RegretLocker uses an interesting technique of placing a virtual disk file so that each of its files can be encrypted separately.
To do this, RegretLocker uses Windows functions Virtual Storage API OpenVirtualDisk, AttachVirtualDisk και GetVirtualDiskPhysicalPath για να τοποθετήσει εικονικούς δίσκους. Aναζητά συγκεκριμένα το VHD και το τοποθετεί όταν εντοπιστεί.
Once the virtual unit mounted as a physical disk in Windows, the ransomware can encrypt each one individually, which increases the encryption speed.
In addition to using the Virtual Storage API, RegretLocker also uses the Windows Restart Manager API to terminate Windows processes or services that keep a file open during encryption.
Windows Restart Manager is only used by some ransomware such as ta REvil (Sodinokibi), Ryuk, Conti, ThunderX / Ako, Medusa Locker, SamSam and LockerGoga.
RegretLocker is not yet very active, but it is a new family to watch.